Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.
Setting up LDAPS on Windows 2008
Hello,
I followed the directions here: http://support.microsoft.com/kb/321051 to set up LDAPS. I used a certificate purchased from GoDaddy. After rebooting, I cannot get the connection to work using ldp.exe. I'm thinking maybe my certificate was configured incorrectly?
The name of the server is DNSSrvr1. The DN for the server is CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-------------------------
The certificate came back from GoDaddy for "DNSSrvr1", not the entire DN, could that be an issue?
I put the certificate in the Local Computer Personal container.
When I run the ldp.exe utility, entering either the name of the server or the IP of the server, trying them in combination with both port 636 and 3269, I get Error <0x51>: Fail to connect to DNSSrvr1.
Any ideas? I'm not quite sure where to go from here. I hate to go through the process of re-requesting the certificate if that isn't the issue.
Thank you,
Christine
I followed the directions here: http://support.microsoft.com/kb/321051 to set up LDAPS. I used a certificate purchased from GoDaddy. After rebooting, I cannot get the connection to work using ldp.exe. I'm thinking maybe my certificate was configured incorrectly?
The name of the server is DNSSrvr1. The DN for the server is CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=DNSSrvr1,OU=Domain Controllers,DC=mydomain,DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-------------------------
The certificate came back from GoDaddy for "DNSSrvr1", not the entire DN, could that be an issue?
I put the certificate in the Local Computer Personal container.
When I run the ldp.exe utility, entering either the name of the server or the IP of the server, trying them in combination with both port 636 and 3269, I get Error <0x51>: Fail to connect to DNSSrvr1.
Any ideas? I'm not quite sure where to go from here. I hate to go through the process of re-requesting the certificate if that isn't the issue.
Thank you,
Christine
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hello. This is actually the article I used to set this up. I also tried the SSL checkbox. I get the following error with that:
ld = ldap_sslinit("DNSSrvr1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DNSSrvr1.
ld = ldap_sslinit("DNSSrvr1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DNSSrvr1.
Try this in ldp:
Connection - Bind - enter your username/password/domain
Connection - Connect - DNSSvr1/636/ do not check connectionless / do check SSL
Connection - Bind - enter your username/password/domain
Connection - Connect - DNSSvr1/636/ do not check connectionless / do check SSL
Still a no go. I can connect if I use port 389 (non-SSL), but otherwise, I still get the same error.
For your subject CN, instead of the hostname use the FQDN.
You don't want your DC cert to be exportable, but that shouldn't cause the issue - just a recommendation.
You will want to get a "SAN" cert from GoDaddy and include the info from the last line in that - GoDaddy has them for under 100 bucks. You want the following info:
server1.domain.local (same as subject - include this as first entry)
ldap.domain.local
server1 (if hostname is allowed by commercial CA)
192.168.0.1 (if IP address is public, or if internal IP is allowed by CA - uncommon)
Here's the .inf that we use here for our LDAP certs.
To create CSR file run this from cmd
certreq -new policy.inf YourServer.csr
If issuing from your own internal CA run this from cmd
certreq -submit -config CASERVER.DNS.NAME\CAName YourServer.csr YourServer.cer
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=DC1.YourDomain
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
KeyLength=2048
KeyUsage = 0xF0 ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
KeySpec=1
SMIME=TRUE
[EnhancedKeyUsageExtension
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
; OID=1.3.6.1.4.1.311.20.2.2
[RequestAttributes]
; CertificateTemplate = WebServer ;Change to appropriate template name or OID ;Omit line if CA is a stand-alone CA or commercial or other non-MS CA
; SAN = "dns=server1.domain.local&
You don't want your DC cert to be exportable, but that shouldn't cause the issue - just a recommendation.
You will want to get a "SAN" cert from GoDaddy and include the info from the last line in that - GoDaddy has them for under 100 bucks. You want the following info:
server1.domain.local (same as subject - include this as first entry)
ldap.domain.local
server1 (if hostname is allowed by commercial CA)
192.168.0.1 (if IP address is public, or if internal IP is allowed by CA - uncommon)
Here's the .inf that we use here for our LDAP certs.
To create CSR file run this from cmd
certreq -new policy.inf YourServer.csr
If issuing from your own internal CA run this from cmd
certreq -submit -config CASERVER.DNS.NAME\CAName YourServer.csr YourServer.cer
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=DC1.YourDomain
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
KeyLength=2048
KeyUsage = 0xF0 ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
KeySpec=1
SMIME=TRUE
[EnhancedKeyUsageExtension
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
; OID=1.3.6.1.4.1.311.20.2.2
[RequestAttributes]
; CertificateTemplate = WebServer ;Change to appropriate template name or OID ;Omit line if CA is a stand-alone CA or commercial or other non-MS CA
; SAN = "dns=server1.domain.local&
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Contact godaddy and ask to upgrade the order from the standard SSL to a SAN cert - I think they refund completely within 14 days if memory serves.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Databases
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Also, make sure you are 1) running a current version of LDP, which you can tell if 2) you enabled the SSL checkbox in the connect box (appears under "connectionless").